[dev] External access tickets
jan at horde.org
Mon Mar 11 16:41:40 UTC 2019
Quoting Michael J Rubinsky <mrubinsk at horde.org>:
> Quoting Ralf Lang <lang at b1-systems.de>:
>> I need to provide throwaway access to some shared resources in a
>> horde_shares based application.
>> This means, the subject to grant access to will not be a horde user, but
>> access will not be granted globally.
>> Think of a scenario where you want to give - potentially time-limited,
>> revocable - access to a calendar, address book, file or similar resource
>> to an external party.
>> Strategies to implement
>> - Have an application specific table with some auth string, related
>> resource ID, expiry date
>> - Make this a feature of Horde_Shares (separate table app_sharesng_tickets)
>> - Make this a feature of the RPC/Rest/access stack.
>> What would make most sense / have a chance for committing back into Horde?
>> - have a separate vhost with a separate auth table/source but shared
>> application/resource tables.
> Is the idea to grant API access only, or full UI access?
> I'm not sure the Horde_Shares strategy would work, though I honestly
> like that as an idea the best. How would we be authenticated to the
> actual application?
> It would be great if we could use this as a basis for a full
> role-based authentication and claims system.
I agree that using Horde_Shares for this makes most sense. We
implement all permissions there already anyway, so we still have a
single point to check for resource permissions.
As for the application access: the application-permission-system could
maybe hook into Horde_Shares to allow overriding of individual
application's permissions, so as to allow non-authenticated access to
guest shares or ticketed resources.
The Horde Project
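
A sketch of the ticket record discussed in this thread (auth string, related resource ID, expiry date, revocable), with every ticket decision going through one check function. This is an added example, not part of the original message and not Horde code; the table, constants and function names are hypothetical, and it assumes the PDO SQLite driver is available.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; this is not Horde_Share's schema or API.
const TICKET_READ = 1;
const TICKET_EDIT = 2;

function ticket_schema(PDO $db): void {
    // Only the SHA-256 of the secret is stored, so a leaked table yields no usable tickets.
    $db->exec('CREATE TABLE access_tickets (token_hash TEXT PRIMARY KEY, share_id TEXT NOT NULL,
        perm INTEGER NOT NULL, expires_at INTEGER NOT NULL, revoked INTEGER NOT NULL DEFAULT 0)');
}

function ticket_issue(PDO $db, string $shareId, int $perm, int $ttl, int $now): string {
    $token = bin2hex(random_bytes(32)); // 256-bit secret, handed to the external party once
    $db->prepare('INSERT INTO access_tickets (token_hash, share_id, perm, expires_at) VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $shareId, $perm, $now + $ttl]);
    return $token;
}

function ticket_revoke(PDO $db, string $token): void {
    $db->prepare('UPDATE access_tickets SET revoked = 1 WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Single check point: the ticket must exist, be unrevoked and unexpired,
// name exactly this resource, and carry every requested permission bit.
function ticket_allows(PDO $db, string $token, string $shareId, int $perm, int $now): bool {
    $st = $db->prepare('SELECT share_id, perm, expires_at, revoked FROM access_tickets WHERE token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && (int) $row['revoked'] === 0
        && (int) $row['expires_at'] > $now
        && $row['share_id'] === $shareId
        && ((int) $row['perm'] & $perm) === $perm;
}

// Constructed sample run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
ticket_schema($db);
$now = time();
$t = ticket_issue($db, 'calendar:example', TICKET_READ, 3600, $now);
var_dump(ticket_allows($db, $t, 'calendar:example', TICKET_READ, $now + 60));    // within lifetime
var_dump(ticket_allows($db, $t, 'addressbook:example', TICKET_READ, $now + 60)); // different resource
var_dump(ticket_allows($db, $t, 'calendar:example', TICKET_EDIT, $now + 60));    // permission not granted
var_dump(ticket_allows($db, $t, 'calendar:example', TICKET_READ, $now + 7200));  // after expiry
ticket_revoke($db, $t);
var_dump(ticket_allows($db, $t, 'calendar:example', TICKET_READ, $now + 60));    // after revocation
```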